Our Products

Zeroing in on Zero-Day Exploits

A zero-day attack is an attack that targets publicly known but still unpatched software vulnerabilities, the so-called “window of vulnerability”. Hackers concentrate on finding vulnerabilities in widely-used software such as Windows, browsers, and security packages. Zero-day exploits have hit Adobe products (Flash, Reader), Internet Explorer, Java, Mozilla Firefox, Windows, Microsoft Office, and many others.

Once a vulnerability is found, the hacking community is alerted through social sites, chat, and emails. Hackers get busy developing exploits to take advantage of the vulnerability, and either code or exploit kits become available for sale on the Internet. There are currently efforts afoot to regulate the sale of zero-day exploits. Dutch politician Marietje Schaake has been crusading for laws to curb the trade in what she calls “digital weapons.”

Of course, software vendors test their software for vulnerabilities before shipping. But today’s software package is large and complicated. Some vendors field a package as a beta version to a select number of clients to work out the kinks before production begins. Others employ testing companies or hackers to “beat the software to death”.

Minimizing the impact of zero-day exploits

Once the software has shipped, some vendors attempt to minimize the impact of zero-day exploits by finding bugs before the hackers do. Vendors scout popular hacker sites, blogs, and social sites for intelligence. Most famously, they offer “bug bounties”, monetary rewards for a documented bug. Bounties normally range between $100 and $500.

Hackers enticed by these offers are willing to join subscription-only websites such as bugcrowd.com and hackerone.com to find unpublicized bounty programs. Most premier software vendors (except Apple) have such programs. These include the Facebook Whitehat Program, Google Vulnerability Reward Program, Microsoft Online Services Bug Bounty Program, and the Mozilla Bug Bounty.

These programs are an about-face from vendors’ typcial attitudes about vulnerabilities just a few years ago. Academics, let alone hackers, who sent information about vulnerabilities to a vendor might be threatened with legal action if they disclosed the vulnerabilities.

The controversy over disclosure

Disclosure is hotly contested. Some believe that it leads to more attacks. Others think that without at least the threat of disclosure, a software vendor has no impetus to create a patch. Keep in mind that vulnerabilities affect the user much more than they affect the vendor. The user has already paid for the software. Vendors respond only if the user community demands fixes. This means that vendors tend to create patches only for software with a large installed base.

There are two main approaches to disclosure:

“Full disclosure” reveals all the details of vulnerability, putting pressure on the vendor to find a fix quickly.
In the US, “responsible disclosure” occurs when the vendor is notified confidentially two weeks before CERT (Computer Emergency Readiness Team) is notified. Then the vendor has a 45 day grace period to publish a security advisory. Theoretically, this gives the vendor time to code and release a fix.

Once a vulnerability is exposed, it is listed in a publicly-accessible system called Common Vulnerabilities and Exposures at https://cve.mitre.org/ , where each vulnerability is classified scored using the Common Vulnerability Scoring System.

Eventually the vulnerability becomes known

A vulnerability can also be found by the software vendor itself. In this case, the vendor tends to keep it under wraps until a fix is ready for distribution. In some cases, though, it is publicly announced if users could take some action to avoid the problem. For example, if the bug in accounting software occurs only during quarter-end processing, that activity can be postponed until a patch is in place.

If the vulnerability is publicly known, but the vendor has no fix, then hackers launch zero-day attacks. What protects the user until the patch is available? There is no single solution to protect a network from all zero-day attacks; there are too many variations of vulnerabilities that require different remedies. However, even if your system is a target, antispam, antivirus, using virtual local area networks (LANs) to protect transmitted data, using a secure Wi-Fi system to protect against wireless malware attacks and content filtering software can fend off many exploits.

When the fix is in

After a patch has been distributed, you would be surprised how many users do not apply it in a timely manner. It is critical for network security to keep software updated. This includes browsers, operating systems, browser plug-ins, and applications such as Microsoft Office. Malware writers quickly exploit vulnerabilities in older versions of popular software.

In fact, most exploits occur because users do not patch their software and hardware for known vulnerabilities. According to FireEye, there have been 21 zero-day exploits over a period of more than 2 years involving Internet Explorer, Microsoft Office, Adobe Flash, Java, and others. These exploits have undoubtedly been used for attacks, but their numbers pale in comparison with the overall number of exploits that have been patched by vendors.

Microsoft releases its monthly security updates on Patch Tuesday, the second Tuesday of each month. Hackers know the Microsoft patch cycle, and target Microsoft software immediately after it delivers the updates. It is then that they reverse-engineer the update code to create exploits. (FYI: Important security updates are not held until Patch Tuesday. That is why users receive a smattering of fixes throughout the month.)

Companies of all sizes are at risk from such malware. Don’t leave the safety of your critical information to chance. Your company’s data is too valuable to be left unprotected and requires a comprehensive layered approach to security to keep it safe from harm.

Sign up to the TitanHQ blog below and stay up to date with all the latest email and web security news.